TRENDING TOPICS APR 28, 2025

Update: DragonForce Introduces Cartel Model to Expand Ransomware Operations

DragonForce is shifting the ransomware landscape by building a cartel-style structure that lets other ransomware groups operate under its umbrella without managing their own infrastructure. Through a new distributed affiliate branding model, DragonForce offers affiliates access to its negotiation tools, storage for stolen data, and malware deployment services while allowing them to keep their own brand identity. Affiliates carry out attacks using DragonForce’s backend while keeping their public-facing image separate, paying only a 20% share of ransom payments to DragonForce. This removes the need for affiliates to develop their own malware, manage data leak sites, or handle negotiations, cutting operational costs and technical demands. While DragonForce claims to follow a “moral code” by avoiding attacks on specific critical healthcare targets, it remains heavily financially motivated. Although the Black Market and Botnet Data sections of its platform currently show limited activity, DragonForce expects these areas to surface valuable intelligence eventually. The new model positions DragonForce as a marketplace for ransomware groups, aiming to attract both seasoned actors and those with fewer technical skills. Affiliates can either carry out attacks under the DragonForce brand or launch operations under a completely separate brand while still relying on DragonForce’s maintained servers and administration. Strict rules are enforced, and affiliates risk removal if they fail to follow guidelines, ensuring DragonForce controls operations tightly. Researchers believe this model will likely grow the affiliate network and boost profits by offering flexibility that traditional RaaS programs lack. DragonForce claims several well-known ransomware groups have already expressed interest, and a new group called RansomBay has officially joined.
By removing the burden of technical maintenance and offering ready-made tools, DragonForce is making it easier for more threat actors to enter the ransomware market and scale attacks faster. 

Earth Kurma Targets Southeast Asia in Stealthy Espionage Campaign 

A new APT group known as Earth Kurma has been targeting the government and telecommunications sectors across Southeast Asia since June 2024, using a sophisticated mix of custom malware, rootkits, and cloud services for data exfiltration. Countries impacted include the Philippines, Vietnam, Thailand, and Malaysia. The group’s operations date back to late 2020 and involve using Dropbox and OneDrive to steal sensitive documents with malware families such as TESDAT, SIMPOBOXSPY, KRNRAT, and Moriya. While initial access methods remain unknown, once inside, the attackers move laterally using scanning and hacking tools such as NBTSCAN, Ladon, FRPC, and WMIHACKER, and deploy keyloggers like KMLOG to harvest credentials. Persistence is maintained through the loaders DUNLOADER, TESDAT, and DMLOADER, which deliver advanced payloads including Cobalt Strike Beacons and sophisticated rootkits. Earth Kurma distinguishes itself by relying heavily on living-off-the-land techniques, abusing legitimate Windows system components such as syssetup.dll to install rootkits while avoiding traditional malware detection. KRNRAT and Moriya inject backdoors into system processes to maintain access and conceal traffic. Document files are collected, archived with WinRAR, and exfiltrated to cloud platforms using custom tools such as SIMPOBOXSPY and ODRIZ. Although there are overlaps with another known group, ToddyCat, a direct link has not been confirmed. Trend Micro’s analysis shows that Earth Kurma is highly adaptable, can modify its toolsets based on the victim’s environment, and can even repurpose infrastructure for long-term stealth. The group remains an active and persistent threat in the region, indicating a broader, ongoing espionage effort.

Storm-1977 Targets Education Sector Cloud Tenants Through Password Spraying and Cryptojacking 

Microsoft has identified a threat actor, Storm-1977, who has been actively conducting password-spraying attacks against cloud tenants in the education sector over the past year. The group uses AzureChecker[.]exe, which connects to an external server to retrieve AES-encrypted data containing a list of target accounts. Attackers combine this information with a locally stored file, "accounts[.]txt," filled with username and password combinations, to automate credential validation against multiple tenants. In a confirmed breach, Storm-1977 exploited a compromised guest account to create a new resource group inside the victim’s Azure subscription, deploying over 200 containers for illicit cryptocurrency mining. This activity highlights an evolving threat in which attackers gain access and then abuse cloud infrastructure for financial gain through resource-intensive operations such as cryptojacking. Microsoft’s analysis emphasizes the broader risks to containerized cloud environments, where attackers can exploit compromised credentials, vulnerable container images, or misconfigured Kubernetes APIs to escalate privileges or deploy malicious payloads. Containers, registries, and nodes are all potential entry points if they lack proper hardening. Microsoft recommends that organizations secure their container environments by enforcing trusted registry use, implementing strict deployment policies, monitoring Kubernetes API activity for unusual behavior, and ensuring all deployed images are patched and free of vulnerabilities. Without these controls, threat actors can easily expand an initial foothold into a broader compromise, leading to resource abuse, persistent access, or full control over cloud infrastructure.
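As an added defender-side example (not part of the original brief or of Microsoft's reporting), the detection below shows the sign-in pattern that distinguishes a password spray like Storm-1977's from ordinary brute force: one source hitting many distinct accounts with only one or two failures each, followed by a success from the same source. The sign-in records, IP addresses, and account names are constructed sample data, and the thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (UTC timestamp, user, source IP, result).
# 203.0.113.10 sprays eight accounts once each, then succeeds against a guest account;
# 198.51.100.7 hammers a single account (brute force, not spray); 192.0.2.5 is benign.
SPRAY_IP, BRUTE_IP, BENIGN_IP = "203.0.113.10", "198.51.100.7", "192.0.2.5"
SAMPLE_SIGNINS = (
    [(f"2025-04-27T01:{m:02d}:00Z", f"user{m}@contoso.example", SPRAY_IP, "FAILURE") for m in range(8)]
    + [(f"2025-04-27T01:{10 + m:02d}:00Z", "admin@contoso.example", BRUTE_IP, "FAILURE") for m in range(10)]
    + [
        ("2025-04-27T01:30:00Z", "guest_bob#EXT#@contoso.example", SPRAY_IP, "SUCCESS"),
        ("2025-04-27T02:00:00Z", "carol@contoso.example", BENIGN_IP, "FAILURE"),
        ("2025-04-27T02:01:00Z", "carol@contoso.example", BENIGN_IP, "SUCCESS"),
    ]
)


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_password_spray(signins, window_minutes=60, min_distinct_users=5, max_failures_per_user=3):
    """Return {source_ip: distinct_users_hit} for sources whose failures inside a sliding
    window touch many distinct accounts with few attempts each (the spray signature).
    Many failures against one account is brute force and is deliberately not flagged here."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in signins:
        if result == "FAILURE":
            failures_by_ip[ip].append((_parse_ts(ts), user))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, events in failures_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_distinct_users and max(per_user.values()) <= max_failures_per_user:
                alerts[ip] = max(alerts.get(ip, 0), len(per_user))
    return alerts


def compromised_after_spray(signins, spray_alerts):
    """Accounts that signed in successfully from a spraying source: the likely footholds,
    such as the guest account abused to create the mining resource group."""
    return sorted({user for _, user, ip, result in signins if ip in spray_alerts and result == "SUCCESS"})
```

Feeding the successful accounts into a follow-up query for resource-group creation and container deployments in the same subscription closes the loop on the cryptojacking stage described above.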

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.